GDPR

GDPR Six Months On

Is it Working? Experts Have Their Say

Sunday 25 November marked six months since Europe’s General Data Protection Regulation came into force.

Since 25 May, there have been a number of high-profile data breaches that have reinforced the importance of data protection, for consumer and boardroom alike.

Looking back at GDPR six months on, is it having the impact that regulators intended?

Rob Scammell spoke with C-level execs, legal experts, marketers and data protection officers to find out what’s working, what isn’t and if GDPR is having the effect regulators intended.

Public awareness of data protection “never higher”

Six months on from the GDPR deadline for compliance and we still believe a significant number of organisations are struggling with three key issues: data sprawl, a huge influx of personal customer information and uncertainty around data ownership.

Public awareness of an organisation’s responsibilities around data protection has never been higher – with breach complaints to the Information Commissioner’s Office on the increase. Reputations and revenues are on the line. Now is the time to ensure a long-term GDPR compliance strategy is in place, if it isn’t already.

ICO yet to show its teeth

On the face of it, it’s very hard to tell. 6 months in and there are still stories of data breaches on an almost daily basis and we have yet to see any of the mammoth fines which can now be handed out.

The ICO has recently handed out £500K to Facebook, but that related to an incident prior to 25th May 2018 and while there are a number of high-profile data breaches which have occurred post May 25th, we have yet to see what the fines might be.

GDPR was not designed as a mechanism to make money, but rather as one to keep personal information safe. It is a topic of conversation at the boardroom level, and organizations are slowly putting processes (and technology) in place to comply with it.

However, until the ICO shows its teeth it is difficult to say whether personal information is any safer today than it was 6 months ago.

Europe’s biggest export?

Regulators can be pleased with the magnitude of engagement with GDPR, and the fact it has helped to tip the dialogue in favour of privacy having a fundamental role in society.

The media agenda has shifted; consumers now increasingly expect transparency and more careful management of their data, and tech leaders have spoken openly about the importance of trust and putting privacy first.

The GDPR may also turn out to be one of Europe’s biggest exports: it is now inspiring (or at least informing) similar laws around the world, from India to China, from California to Brazil.

The EU regulators have introduced a pioneering piece of legislation that looks likely to set the bar for data privacy standards around the world, and offers opportunities for closer working practices among international privacy professionals in business and the regulators they engage with.

Aadhaar database breach

India’s database containing the identity numbers, demographics and biometrics of 1.1 billion citizens is one of the largest databases on the planet.

This year it has been plagued by vulnerabilities.

An investigation by The Tribune found in January that Rs500 (around £5) gets you access to the details of anyone on the Aadhaar database.

Reported: 03/01/18

Occurred: 03/01/18

Damage: Difficult to put a number on accessed data, but multiple security flaws found throughout the rest of the year have eroded trust in the system

Method: Anonymous sellers offered access to personal details of 1.1bn people over WhatsApp

Culprit: Vulnerability exploit

Location: India

Teething issues yet to be resolved

Six months on, regulators will expect firms' GDPR teething issues to be resolved. But the truth is that firms have been distracted by privacy and cookie policy concerns and simply aren't doing enough to ensure data is held securely and only available to those authorised.

Firms are still too reliant on in-house systems where data protection does not form part of the fabric of the technical architecture.

And worse, many still use spreadsheets and email as methods of storing and distributing sensitive data. Until these issues are addressed, firms are continuing to leave themselves exposed to a breach of terms and potentially damaging fines.

“Multiplicity” of implementations hard for users to understand

To answer whether GDPR is working or not, you need to look at why it was brought in in the first place. The main aim was to make it easier for EU citizens to understand how their data is being used.

I would argue that the multiplicity of ways it has been implemented across websites makes it hard for users to understand what they are confirming or consenting to for their data usage.

As GDPR wants specific consent for specific purposes, I would question whether a user of a website, for example, would understand the difference between functional cookies versus strictly necessary cookies.

“Questionable” success regarding Google and Facebook

Mostly yes, because regulators have largely succeeded in achieving their aims of reasserting the individual’s right to privacy, and in harmonising regulations across Europe. Companies that had grown complacent about the way they collected and used personal data are now much more mindful about capturing consent and treating customers accordingly.

GDPR has created a culture in which marketers are much more likely to ask, ‘Is this legitimate?’, ‘Is this what the customer signed up for?’, and most importantly, ‘Are they getting value out of this relationship?’.

Where the success of GDPR is questionable is regarding data giants such as Google and Facebook.

When people click ‘agree’ to terms and conditions do they fully understand how much data is being captured by these behemoths and how it is being used? Closer regulation and greater transparency may be required to restore public trust.

Many organisations in “relaxed” status quo

From what we have seen at Exonar, although most organisations have made some changes, as May passed many relaxed into a status quo where they have accepted their steps towards compliance but very few have fully achieved or are executing on a plan which takes them to full compliance.

Our view is that at the very least organisations should have a reliable system for identifying and mapping the personal data that they hold so that they can fully understand their risk.

AI roadblock

GDPR has certainly been an important step in the right direction for consumer rights within the European Union but when it comes to AI, the regulation hits a bit of a roadblock.

For example, in any given scenario, a scientist or engineer that built the machine would not know how or why the system has come to the decision it’s come to - and that’s the problem when you’re applying GDPR.

GDPR assumes that all technology is white box but that’s not necessarily the case. Machine learning solutions are inherently black box.

Another issue with AI is that Article 22 of GDPR states that if you use automated decision making, you cannot rely on legitimate interest as a lawful basis for processing.

So while the aims of the legislation are laudable, there is a wave of technological adoption in relation to machine learning that I think is unassailable, and it’s going to happen whether or not the GDPR is in place.

Businesses, therefore, will need to be more creative in the way they tackle GDPR, and regulators will need to be more flexible in how they apply the principles under GDPR.

“Compliance is a marathon race”

It is certainly too early to say if GDPR is working or not. GDPR compliance is a marathon race that requires endurance, not a speed race, and this is because the modern enterprise is operating in a fast-changing environment.

Those who have made the sprint to comply by the deadline need to prove they are on top of changes that introduce new types of personal data, by performing due diligence on new partners and subcontractors and signing the respective agreements, or by proving their capability to detect and report incidents and manage their data in their ecosystem effectively.

An increase in data protection complaints has been noticed, but this can be distracting as it may be due to the increased awareness of the data subjects rather than the actual performance of organizations to protect the data. So far, GDPR has certainly made an impact in at least developing a level of data protection capability in a critical mass of organisations. Those will have to keep the momentum and, most importantly, pull the rest in, in today’s connected way of doing business.

Current tools “falling short”

Businesses have survived six months of GDPR, and now it’s time for them to start focusing on the finer details to make sure they are implementing it in a practical way for their customers too, preventing any headaches further down the line.

The right to data portability is one of the most fundamental, but also most contentious rights within the GDPR.

In an attempt to be GDPR-compliant, businesses scrambled to put together some form of data portability. Despite aiming to benefit consumers, they are instead being put at risk.

There are three main issues relating to data portability: usability, context and security. Yet data is being provided in difficult-to-decipher spreadsheets – making it hard for consumers to do anything with them.

On the security side, current processes are forcing consumers to take responsibility for something they aren’t qualified to do.

Current tools are falling short of what is required by law, and what is expected by customers.

“GDPR has not fully succeeded”

Complaints to the Information Commissioner’s Office (ICO) about potential data breaches have more than doubled since GDPR came into force. This suggests it’s working in terms of tightening security around personal data and raising awareness of the importance of this.

However, it also indicates that GDPR has not fully succeeded in bringing organisations in line with its requirements. Enterprises of all sizes, in all sectors, continue to be caught out by basic gaps in their security strategies.

Research carried out by Apricorn in May found that two thirds of UK companies were not confident they’d be fully compliant with GDPR in time for the deadline. More than 80% cited at least one area in which they believed they might fall short, with a lack of understanding of their data the top-ranking concern. In light of this, it’s very likely that many organisations are still not operating completely within the guidelines.

Too early to say

It is too early to say whether GDPR delivered on all its goals but it has definitely made companies in the EU and abroad pay more attention to how they hold customers’ data, and whether they keep it at all.

According to figures released by the ICO, the number of data breach reports has soared since GDPR came into effect.

It is difficult to know whether this enhanced level of reporting has translated into tangible security improvements, but customers certainly benefit from the increased transparency, so in that sense GDPR has served as an empowering force for the general populace.

Quite successful to date

Since GDPR took effect in May, it has been omnipresent in the lives of marketers, consumers, publishers, and brands across industries. Three months in, only 20% of companies were compliant, globally, and many still haven’t set themselves up to be accessible within the European market.

With that said, while many across the EU have endured an influx of emails, there’s a strong opportunity presented here by regulators. We’re not only seeing a shift in power in favour of the consumer, but also the ability for companies to highly target those consumers interested in their products and services. By engaging with more relevant audiences, brands in all sectors are in a better position to reach their end users and improve their bottom lines.

While regulators may continue to struggle with the nitty-gritty details of GDPR’s implementation, I think its original intended outcome has been quite successful to date, and will see increasing success as companies globally adopt the regulations.

Still a large amount of work to be done

There is no doubt that the implementation of the GDPR back in May has helped encourage businesses to gain consent before marketing to individuals and ensure they protect collated data.

However, there is still a large amount of work to be done to reach the desirable outcome intended by the regulators, with most concern being placed on monitoring the security of one’s own enterprise.

Six months on, there are clear signs that businesses are searching for ways around GDPR as their business model relies on the selling and operating of customer data.

Much to the dismay of the regulators, businesses are sending out more encrypted data back to browsers and claiming legitimate consent through the acceptance of “cookies” - a step back from the intended, clear opt-in businesses have been asked to gain and provide proof of.

GDPR has certainly been a step in the right direction, but there are still some creases to be ironed out to ensure a smooth, GDPR-compliant business world.

Still some confusion

GDPR has certainly made organisations much more aware of the importance of securing and processing PII than before its introduction – so if its aim was to raise awareness, it has definitely done so.

Everyone still seems focused on GDPR requirements and is therefore designing their systems with data protection in mind; organisations have their DPOs in place, and in most organisations the awareness of GDPR goes up to board level.

There is still some level of confusion on lawful basis and legitimate interest, but this is slowly decreasing as things settle down.

Still early days

The ICO in the UK has announced that the first fines are expected to come down the line at the end of this year.

This is particularly daunting taking into account that around 70% of UK businesses indicate they have not taken all of the required steps to become compliant.

Having said that, working towards compliancy and demonstrating that you are making progress will go a long way in avoiding fines.

If you look at the enforcement action section of the ICO’s website, it shows that most notices still relate to the 1998 Data Protection Act. Therefore we must conclude it is still early days and more court decisions relating to the GDPR are needed to clear up any remaining confusion.

“GDPR was never meant to bayonet the wounded”

The temptation is to look for judicial victims and transgressors to see if GDPR is a success or not, but this is a mistake. GDPR was never meant to bayonet the wounded and to slap 4% of turnover fines on everyone in sight. This is not an attempt to pay for the policeman’s ball with speeding tickets on the 30th of the month.

Instead, GDPR is about the rights of citizens and the need for customers to treat privacy and security correctly and customer data as a privilege and not a right. From that regard, GDPR is a success: companies internationally have revamped security programs, re-worked missions, emphasised privacy for real as a priority and have renewed dialogs between CPOs, CSOs and CIOs with the business at large.

In fact, we are seeing a rise of Chief Digital Officers too; and now we’re seeing copycat legislation in other jurisdictions too, which is the surest sign of success. Long term, GDPR has a long way to go filled with whistleblowing, fines, politics, diplomacy and more; but 6 months in it looks to be a success for citizens, for privacy and for security despite the pain, the hype and the consultants who have billed millions of hours in the interim.

“GDPR to most people still means those annoying pop ups”

We need to judge the GDPR against its aims - to protect individuals’ personal information and to give those individuals rights in relation to that information.

The number of data breaches reported to the regulator each month suggests that personal information is not getting the protection the GDPR demands. At the same time, whilst individuals may be more aware of the importance of protecting their personal information, those same individuals are not typically aware of all their rights in relation to it.

Unfortunately, the GDPR to most people still means those annoying pop ups on websites related to marketing preferences or cookies.

“Only partly”

The answer, I am afraid, is only partly. Many companies have been waiting to see how many Data Subject Requests they would receive before deciding how much to invest in their GDPR projects.

This is short-sighted as most fines to date have started from a data breach, so the accurate storing, deleting and protection of personal data is crucial, not only for compliance, but to a firm’s bottom line and this is not driven by the number of Data Subject Access requests.

The key question, though, is: why are consumers not making more requests? This is partly down to the difficult process some companies put in place to make a request and consumer awareness. In the US, there is a new regulation called CCPA (California Consumer Privacy Act) which requires companies to have a “Do not sell my data” button clearly marked on their website.

Having such an easy to access feature will surely drive higher usage, which is what the regulators wanted with GDPR.

Carrot instead of the stick

There’s a feeling that so far the ICO has approached GDPR using the carrot instead of the stick - helping businesses become compliant instead of punishing those who aren’t. We haven’t seen the huge fines that might have been expected but this will likely change as we move into 2019 and the ICO becomes less sympathetic.

I believe where we’ll see the biggest shift is in the penalising of internal breaches within companies where businesses are focused on customer data compliance without considering their own internal processes.

GDPR should be seen for what it is

The GDPR should be seen for what it is, an update on the Data Protection Directive looking to promote transparency and fairness of data use.

Those looking to measure its success as a punitive measure that fines major companies will be disappointed so far, as it’s a slow process that takes time to process.

Whether or not the regulators will be satisfied with the GDPR six months in is a tough one to answer.

Ultimately, the purpose of the regulation is to change the mindsets of major businesses from one of ticking compliancy boxes to one of actively trying to be more responsible and transparent with data.

What will give regulators heart so far is most likely the impact the GDPR has had outside the EU, for example in America with legislation such as California’s Consumer Privacy Act following the example the GDPR has set. This shows that data protection is gaining more attention globally.

The ineffectiveness of GDPR

Pre-GDPR consumers were unaware of how their data was being used. Now, in the age of big data and machine learning, data can be used in a multitude of ways, yet GDPR has not properly addressed the issue of ‘tacit’ consent.

Since GDPR was introduced, we’ve seen the impact other firms have had whose business models rely on acquiring consumer data at scale. We’ve watched as tech titans adjust their framework to allow users to be in control of their data, rather than businesses. But even with consumers having the power to hold companies accountable, we are still seeing the ineffectiveness of GDPR.

With companies still having over a year left to get their businesses following the new set of rules, we hope that soon we will see whether marketers and consumers have mutually benefitted from the legislation.

For now, we can still expect to see a flurry of activity, as individuals and firms argue whether or not their interpretation of GDPR requirements is the correct one.

Companies are more responsible as a result of GDPR

Whilst it’s easy in hindsight to criticise the regulators (and trade bodies) regarding the implementation and interpretation of certain elements of GDPR, the data landscape has definitely improved.

The topic of personal data has been elevated to the boardroom and is at last receiving the respect it deserves. This is important, as the data explosion over the last decade has driven some elements of personal data to become commoditised and disrespected.

Data trails should be treated like transactions on a current account—they are personal and portray valuable behaviour in much the same way.

GDPR has caused companies to become more responsible. They have had to ask themselves why they are storing and using data. They must be more transparent and able to justify what they are doing. Importantly, consumers are more aware of how their data is used and will ask questions if they feel it is being misused.

As GDPR best practice starts to become clear, emerging from the varying guidance and advice that has so far been in the market, the landscape will continue to improve.

The cybersecurity perspective

From a cybersecurity perspective, contrary to what headlines may suggest, my experience has been that many organisations have noticeably improved their security posture or, at the very least, are paying closer attention to how they store, transmit, and process personally identifiable information.

While GDPR didn’t prescribe what good looks like or even what bad looks like, it does appear that its overarching mandate, in combination with its clarity of potential ramification, has been the right recipe to wake many businesses from their cyber security slumber.

Hurdles to overcome

GDPR has forced a long-overdue shift towards viewing consumers as individuals, with different needs, preferences and privacy concerns.

Overall this has to be a positive signal that demonstrates that the digital advertising marketplace is growing up and taking consumer concerns seriously.

The response of websites has varied widely, with some large US-based publishers even deciding to ignore European audiences altogether.

The next hurdle to overcome for the digital advertising ecosystem will be the ePrivacy directive and the resulting potential for much more power to be put in the hands of the browsers.

As we have seen with Safari browser cookie restrictions this year, this could result in further significant changes in the marketplace, so it’s essential that brands and agencies are ready for that. We think that the ability to target user intent in real time will be one of the ways in which the advertising ecosystem adapts to this change.